This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.



Re: New Probe Points for Unprivileged Users


On 09/10/2009 12:41 PM, Dave Brolley wrote:
> Hi,
> 
> Support for limited probing by unprivileged users (not root, stapdev or 
> stapusr) was recently pushed to our git sources (see the NEWS file). The 
> number and type of probe points available to these users has 
> intentionally been restricted in the early stages of development and 
> testing.
> 
> Overall, the philosophy is that an unprivileged user should not be able 
> to use systemtap to affect the system in ways they would not normally be 
> able to or to obtain information that they would not normally be able to 
> obtain.
> 
> The current set of allowed probes is:
> 
> begin
> begin(N)
> end()
> end(N)
> error
> error(N)
> never
> timer.*
> process.begin
> process.end
> process("xxx").begin
> process("xxx").end
> process(N).begin
> process(N).end
> 
> where process.* probes are restricted to the user's own processes.

Something I just realized even in this set -- the address range checks
for accessing user memory are good, but they also must ensure that the
current process memory belongs to the right euid.  In "timer.*"
especially, and probably also in "end" and "error", the user context
could be anything.

> I would like to expand the list of available probes to include the 
> remainder of the process.* probes where, once again, probes are 
> restricted to the user's own processes. Before doing so, I just wanted 
> to double check that this would not be exposing anything in violation of 
> the philosophy mentioned above. If you see any problems with exposing 
> the probe points below to unprivileged users, for their own processes, 
> then please let me know.

I think all of the process.* are fine -- there's nothing that couldn't
be gotten by the user through other means (gdb, valgrind, etc.).

I'd like to see semko tests though, to assert that all remaining probe
types are properly refused to unprivileged users.

Thanks,

Josh
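The following script is an added illustration of Josh's point above; it is not code from this thread, nor is it how systemtap's unprivileged mode actually enforces the restriction (that happens in the runtime, not in the script). It shows why a timer.* probe is different from a process.* probe: the timer fires in whatever task happens to be current, so a user-memory read there would touch another user's process unless the current task's euid is checked first. The invoking user's euid is assumed to be passed as the script's first numeric argument ($1), as in "stap this.stp $(id -u)"; the global and counter names are hypothetical.

```systemtap
# Added example, not systemtap's own enforcement code and not from the
# original thread. Assumption: the caller's effective uid arrives as $1,
# which stap substitutes textually at parse time.

global my_euid = $1        # hypothetical: the invoking user's euid
global foreign_ticks = 0   # timer hits that landed in someone else's task

probe timer.profile {
  # Arbitrary context here: any user's process, or the kernel itself.
  if (!user_mode()) next          # no user-space state to read
  if (euid() != my_euid) {        # current task belongs to another user
    foreign_ticks++
    next                          # must not read this task's memory
  }
  # Same euid: reading the word at the user PC is no more than this user
  # could already do to their own process with gdb or ptrace.
  printf("%s[%d] pc=%p insn=%x\n", execname(), pid(), uaddr(),
         user_int(uaddr()))
}

probe process.begin {
  # process.* probes are already confined to the user's own processes in
  # unprivileged mode, so no explicit euid gate is needed here.
  printf("start %s[%d] euid=%d\n", execname(), pid(), euid())
}

probe end {
  # Also fires in an arbitrary task context; it only reports a counter,
  # so it reads no user memory and needs no gate.
  printf("timer ticks skipped in other users' tasks: %d\n", foreign_ticks)
}
```

The script-level `euid()` gate is a stand-in for the check the unprivileged runtime has to make before any user-memory access from a probe that is not already bound to the user's own processes (timer.*, end, error); the address-range check alone says nothing about whose address space is current.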

